selinux June 2015

selinux@lists.fedoraproject.org

14 participants
17 discussions

transition from init_rc
by Tracy Reed 08 Dec '15

08 Dec '15

I think I'm really close to having this policy finished and working, just a couple things to work out... When I exercise my app and then run audit2allow and it says: #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Contraint rule: allow myapp_t default_t:dir search; allow myapp_t default_t:dir read; allow myapp_t default_t:file execmod; allow myapp_t myapp_bin_t:file write; does it mean only the first line is an constraint violation? Or are all of those constraint violations? How does one typically deal with constraint violations? By attribute above I suppose it means a type attribue but how do I know which one to add? Then I have these: #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Contraint rule: allow initrc_t default_t:file relabelto; #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Contraint rule: allow initrc_t myapp_api_t:file relabelto; The init script which starts the service relabels the files when the service starts. I suspect this is a bad idea and I'm not sure why they are doing it. I think they may be applying security categories here. We may have to find a different way to approach that. But how would I allow this if I wanted to? Similarly: #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Contraint rule: allow setfiles_t default_t:file relabelfrom; #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Contraint rule: allow setfiles_t myapp_api_t:file relabelfrom; etc... This is all on CentOS 6.5. Thanks! -- Tracy Reed

4 5

deny_execmem Rhel7
by Tim.Einmahl＠kba.de 23 Jun '15

23 Jun '15

Hi, in Rhel6 there was a SElinux-type called java_exec_t, so it was possible to use allow_execmem set to off but to run java without problems if it was labeled correctly. In Rhel7 the type java_exec_t seems to have gone so setting deny_execmem leads to problems running java. But I don't want to set deny_execmem globally. Any idea how to achieve that? Regards Tim

2 1

'su' in a Docker container -> AVC
by Laurent Rineau 23 Jun '15

23 Jun '15

I have a container whose entrypoint uses 'su' to drop its privileges. The run of the container triggers an AVC, but the container seems to run normally. That is on a server, and the SELinux Troubleshooter sends me emails (see the attachment). Two questions: 1/ Is there a way to report bugs to Bugzilla using the command line sealert tool (or another command line tool), like what we can do using the GUI? 2/ What should I do to fix that issue, if that is one? I copy-paste here the AVC (the attached email have more information): type=AVC msg=audit(1434542552.136:6332403): avc: denied { search } for pid=11266 comm="su" scontext=system_u:system_r:svirt_lxc_net_t:s0:c68,c965 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key type=SYSCALL msg=audit(1434542552.136:6332403): arch=x86_64 syscall=keyctl success=no exit=EACCES a0=0 a1=fffffffd a2=0 a3=7f7c50a132f0 items=0 ppid=11065 pid=11266 auid=4294967295 uid=500 gid=501 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=su exe=/usr/bin/su subj=system_u:system_r:svirt_lxc_net_t:s0:c68,c965 key=(null) -- Laurent Rineau http://fedoraproject.org/wiki/LaurentRineau

2 7

"SELinux insides" blog
by Miroslav Grepl 16 Jun '15

16 Jun '15

Hello, Yesterday I started with a new blog set called "SELinux insides". See https://mgrepl.wordpress.com/2015/06/14/selinux-insides-part1-policy-module… Your comments, ideas are welcome. Thank you. Regards, Mirek -- Miroslav Grepl Senior Software Engineer, SELinux Solutions Red Hat, Inc.

2 3

New issue with Fedora 22
by David Highley 15 Jun '15

15 Jun '15

semodule -i *.pp libsepol.permission_copy_callback: Module my_logrotate depends on permission kill in class service, not satisfied (No such file or directory). libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory). If we try semodule -r my_logrotate it fails to remove with the same complaint about my_fail2ban which is the one we were trying to reinstall as it seems to not be functioning as we see the following avc which we allow in the policy. This is on a system we did a fedup from Fedora 21. time->Mon Jun 15 01:10:47 2015 type=AVC msg=audit(1434355847.063:29227): avc: denied { net_admin } for pid=12476 comm="firewall-cmd" capability=12 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=capability permissive=0

1 0

Re: SELinux: Interface Labeling Problem
by Maurizio Pagani 11 Jun '15

11 Jun '15

ok, imattached also the community on this thread. Please someone can help me? Thanksa Il giovedì 11 giugno 2015, Paul Moore <paul(a)paul-moore.com> ha scritto: > On Thu, Jun 11, 2015 at 4:22 PM, Maurizio Pagani <pag.maurizio(a)gmail.com > <javascript:;>> wrote: > > Any idea??? Please is important. > > As Stephen already mentioned, please repost your question to the > mailing list so that others can benefit. > > > Il giovedì 11 giugno 2015, Gmail <pag.maurizio(a)gmail.com <javascript:;>> > ha scritto: > >> > >> Hi Stephen, > >> > >> ok, but with peer labeling i saw that is not possible block a specific > >> domain to use an interface labeled with netif_hostonly_t, right? If > not, how > >> can i block a specific domain, to use my network interface? > >> > >> However the next questions, i'll write to distribution list > >> > >> Thanks in advance, > >> > >> > >> > >> > >> Maurizio Pagani > >> Systems and Security Specialist > >> > >> > >> Kay Systems Italia > >> www.ksi.it > >> Viale Libano , 80 - 00144 Roma > >> fax: +39 06 542799-60 > >> mobile: +39 335 1382689 > >> e-mail: maurizio.pagani(a)ksi.it <javascript:;> > >> > >> -----Messaggio originale----- > >> Da: Stephen Smalley [mailto:sds@tycho.nsa.gov <javascript:;>] > >> Inviato: giovedì 11 giugno 2015 14:49 > >> A: Gmail; paul(a)paul-moore.com <javascript:;>; james.l.morris(a)oracle.com > <javascript:;>; 'Daniel J > >> Walsh'; 'Dominick Grift'; 'Sven Vermeulen'; eparis(a)parisplace.org > <javascript:;> > >> Oggetto: Re: SELinux: Interface Labeling Problem > >> > >> Is there a reason you didn't post this to selinux list > >> (selinux(a)tycho.nsa.gov <javascript:;>, subscribe via > selinux-join(a)tycho.nsa.gov <javascript:;>)? > >> We prefer questions to go to the list so that they are archived for > others > >> and anyone in the community can respond to them. > >> > >> In any event, SELinux network permission checks have changed over time. > >> The netif { tcp_recv tcp_send udp_recv udp_send } checks were legacy > >> network checks that were removed in Linux 2.6.30. netif { ingress > egress } > >> are newer checks that are only enabled if you have configured peer > labeling > >> via NetLabel or labeled IPSEC/xfrm. > >> > >> On 06/11/2015 06:27 AM, Gmail wrote: > >> > Hi everybody > >> > > >> > > >> > > >> > I’m Maurizio Pagani (LordFire in #SELinux IRC freenode). > >> > > >> > I write to you, because i’m implementing a SELinux solution with > >> > particular attention about Network Labeling. > >> > > >> > I’m doing this trough some blog(Paul Moore in particular, Walsh and > >> > other) and books (Sven Vermeulen), but now i’m blocked in a little > >> > problem that cannot permit me to go on. > >> > > >> > > >> > > >> > The subject is : *“Interface Labeling”.* > >> > > >> > > >> > > >> > In few words i created a very simple policy called > >> > *“netif_hostonly_t”* the .te is this: > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > policy_module(netif_hostonly, 1.0.0) > >> > > >> > > >> > > >> > require { > >> > > >> > type unconfined_t; > >> > > >> > class netif { tcp_recv tcp_send udp_recv udp_send ingress > >> > egress } ; > >> > > >> > } > >> > > >> > > >> > > >> > #I declare my type > >> > > >> > type netif_hostonly_t; > >> > > >> > > >> > > >> > allow unconfined_t netif_hostonly_t : netif { tcp_recv tcp_send > >> > udp_recv udp_send ingress egress } ; > >> > > >> > > >> > > >> > > >> > > >> > *Next Step:* > >> > > >> > > >> > > >> > semanage interface -a -t netif_hostonly_t eno50332208 > >> > > >> > > >> > > >> > I checked that is labeled correctly > >> > > >> > > >> > > >> > But i don’t see any avc denied messages, this is the problem, i though > >> > that as always, SELinux block everything and after trough RAW SELinux > >> > language (allow/dontaudit/auditallow/neverallow), we can open specific > >> > communications, but instead i don’t see anything. > >> > > >> > I’m wron something? It is not very clear on the web, or in the other > >> > blogs / books, because maybe i need of a SECMARK rule? But is not > >> > specific as a requirement, because also “port labeling” is used > >> > without set SECMARK rule. > >> > > >> > > >> > > >> > Please i’m blocked with my customer project, for this (i think) stupid > >> > problem, maybe you know surely the solution, and can share with me. > >> > > >> > > >> > > >> > Thanks in advace, > >> > > >> > > >> > > >> > Maurizio Pagani > >> > > >> > > >> > > >> > > ------------------------------------------------------------------------ > >> > Avast logo <https://www.avast.com/antivirus> > >> > > >> > Questa e-mail è stata controllata per individuare virus con Avast > >> > antivirus. > >> > www.avast.com <https://www.avast.com/antivirus> > >> > > >> > > >> > >> > >> > >> --- > >> Questa e-mail è stata controllata per individuare virus con Avast > >> antivirus. > >> https://www.avast.com/antivirus > >> > > > > > > -- > paul moore > www.paul-moore.com >

1 0

Policy not taking effect
by Marko Rauhamaa 10 Jun '15

10 Jun '15

To learn about selinux, I am trying to create a policy that would assign the file /etc/xyz the type tuned_log_t. I have: ===begin xyz.te========================================================= policy_module(xyz, 1.0.0) ===end xyz.te=========================================================== ===begin xyz.fc========================================================= /etc/xyz -- gen_context(system_u:object_r:tuned_log_t,s0) ===end xyz.fc=========================================================== Then I execute: # rm -f /etc/xyz # make -f /usr/share/selinux/devel/Makefile xyz.pp Compiling targeted xyz module /usr/bin/checkmodule: loading policy configuration from tmp/xyz.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 17) to tmp/xyz.mod Creating targeted xyz.pp policy package rm tmp/xyz.mod.fc tmp/xyz.mod # semodule -i xyz.pp # touch /etc/xyz # ls -Z /etc/xyz -rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/xyz # restorecon /etc/xyz # ls -Z /etc/xyz -rw-r--r--. root root unconfined_u:object_r:tuned_log_t:s0 /etc/xyz Why is /etc/xyz not getting the correct type immediately as the policy would dictate? Marko

3 2

secure_mode_policyload troubles
by George Karakougioumtzis 08 Jun '15

08 Jun '15

After an upgrade to fedora 22 i was able to solve all the problems i had with systemd-logind not being able to register user sessions and everything except polkit was working flawlessly in enforcing mode(well since polkit is responsible for shutting down the system from the gnome-shell and i cant do that you cant say its a flawless desktop experience but ok it solved many other problems). Now after i turned on secure-mode_policyload boolean i am at the same state. Pulseaudio is not working, loginctl shows no user sessions with a message of start user slice failed and polkit doesn't work for any of my users. Audit subsystem doesn't reveal anything useful. Even if i turn of the boolean i stiil have these problems. Where to go from here?

2 3

Adding new type
by Marko Rauhamaa 08 Jun '15

08 Jun '15

<URL: https://fedoraproject.org/wiki/Security_context?rd=SELi nux/SecurityContext> : The 3rd component of the security context is the Type component, for example /usr/sbin/httpd is labeled with a type of “httpd_exec_t". In my opinion this is the most important field in the SELinux security context. This is the heart of SELinux Type Enforcement. Most of the policy rules in SELinux revolve around what subject types have what access to which object types. By convention this component always ends in a "_t". I am a developer creating a new type of service. Let's call it "abcd." Am I expected to have my RPM package create a new type "abcd_exec_t"? What document describes the proper steps to introduce the type to the system? Marko

4 6

Re: CentOS 7 selinux policy bug [SOLVED]
by mark 03 Jun '15

03 Jun '15

Dan, On 06/01/15 16:27, m.roth(a)5-cent.us wrote: > From: "Daniel J Walsh" <dwalsh(a)redhat.com> > Cc: "Miroslav Grepl" <mgrepl(a)redhat.com> > On 05/29/2015 04:34 PM, m.roth(a)5-cent.us wrote: >> Daniel J Walsh wrote: >>> On 05/29/2015 01:03 PM, m.roth(a)5-cent.us wrote: >>>> Daniel J Walsh wrote: >>>>> On 05/29/2015 09:20 AM, m.roth(a)5-cent.us wrote: >>>>>> CentOS 7.1. Selinux policy, and targetted, updated two days ago. >>>>>> >>>>>> May 28 17:02:41 <servername> python: SELinux is preventing >>>>>> /usr/bin/bash from execute access on the file /usr/bin/bash.#012#012***** <...> <snip> >> > I just pushed this to fedora upstream policy > > commit 035cecfb52aff40a60b0bb7651aadc284e0dffb7 > Author: Dan Walsh <dwalsh(a)redhat.com> > Date: Mon Jun 1 08:59:29 2015 -0400 > > rsync server can be setup to send mail > > You can add the rules locally by compiling and installing this policy > create myrsync.te to look like the following > # ========================================= > policy_module(myrsync, 1.0) > > gen_require(` > type rsync_t; > ') > mta_send_mail(rsync_t) > # ========================================== > > Then execute > > # make -f /usr/share/selinux/devel/Makefile > # semodule -i myrsync.pp <snip> I installed selinux-policy-devel, it built and I installed it, and it appears to fix my problem. Thanks again, Dan. mark

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux June 2015